Windows Autopatch Customize Windows Update settings!

Well, to start off, this is an AMAZING DAY for Windows Autopatch: today the Autopatch Team has released into Public Preview the ability to customize Windows Update settings in the Autopatch UX. This is a huge step forward for admins and, I know, a highly requested feature for many current Autopatch customers. So let's dive in.

AD to AAD Join via Configuration Manager Task Sequence

So, talking about the task sequence built to facilitate AD to Hybrid Azure AD join: I started with a task sequence because, let's face it, the majority of on-premises enterprise environments are running SCCM and leveraging task sequences, and task sequences are just an elegant way to execute what I was looking for.

Azure AD Join Provisioning Package

Creating a provisioning package is a supported, unattended method to join a device to Azure AD. As you have probably noticed if you have spent time looking into the options, there aren't many supported ones other than doing it manually within Windows or through a process like Autopilot.

Active Directory Join to Azure AD Join

So this is an interesting topic, and one where I have to be clear: this is not a Microsoft-supported process today (though all the steps on their own are supported). We are pushing for Microsoft to provide a formally supported method, but until then this might do. Internally we more commonly refer to this process as Hybrid to Azure AD Join, as it refers to the device having a relationship with Azure AD through hybrid registration, but the trust anchor is still AD and still requires that pesky line of sight as well as all the overhead of legacy Active Directory.

Office, Edge, and OneDrive Settings for the Enterprise!

So I have been asked about how to get those standard apps ready on most enterprise builds. These are simple: not too complicated, not getting too crazy. Many admins make the mistake of thinking "if there is a configuration, I must configure it!" This will lead to a world of pain; years of deploying Microsoft products has taught me to take the approach LESS IS MORE.

Device Configurations or Settings Catalog for the Enterprise?

In my time deploying enterprise-ready Windows builds around the world I have seen some pretty consistent configurations, which take us down a deep, deep HOLE of Group Policy!

Group Policy is a familiar tool to everyone in the Windows management/admin space. For years we have bet our device security and reliability on Group Policy and all too often taken advantage of all that we can do with it, often finding ourselves in situations where we ask "why did this happen?", and the common response is "I don't know! It was there when I picked up this mess." Well, I often get asked at what point I look over existing Group Policy to model our enterprise-ready build. My answer is never! Well, almost never: we might grab things like drive mappings and 3rd-party application registry keys in Group Policy Preferences, but aside from that, STAY AWAY!

Autopilot Profile Azure AD Join According to Me!

So I have had quite a few customers ask me what I set when configuring Autopilot profiles, and why. For the sake of the post I will focus on Azure AD join, mainly because Hybrid is a nightmare of complexity and I have found very few cases where Hybrid was the better choice; I always encourage starting with Azure AD join and moving back to Hybrid if nothing else.

So Yet Another BitLocker Blog Post!

BitLocker is not a new technology; it has been around for many years, and I remember the days of deploying MBAM for enterprises and fighting with TPM preparation scripts and logic, as well as firmware configurations, before the technology was really standardized.

So We Are Still Talking DNS Suffix for Azure AD Join Devices

So this was something which came up a few months back with a customer: we realized that in many organizations the DNS search suffix is set by AD Group Policy or by the DHCP scope using options. But when deploying an Azure AD joined device without line of sight we may not get the search suffix, and after connecting to the VPN, UNC paths and some internal sites were failing.

OneDrive More Than Just Known Folder Redirection!

So a few years ago (yes, I said a few years ago) I had a customer ask if it were possible to redirect more than just Desktop, Documents, and Pictures in OneDrive, which are what Known Folder redirection includes natively. Interesting thought: they, like many organizations, had been using folder redirection of various folders in a user's profile to different network shares, to distribute file types by network share. Kind of an archaic approach, but more common than you would think.

MEM (Intune) PKCS Certificates End to End

So let's start by talking about certificates. Now, certificates have been around an extremely long time and are not a new concept in most enterprises today. In the past we would use services like NDES (Network Device Enrollment Service). For a great blog on NDES and how to deploy it, check out Jeff Gilbert's blog: Link. For the sake of simplicity and modernization I'm going to cover how to deploy certificates in Intune using the relatively new PKCS connector.

Digging into Autopilot Diagnostics Page!

So I want to take some time to talk about a new Public Preview feature called Windows Autopilot Diagnostics. This feature is replacing the existing Get-AutopilotDiagnostics.ps1 script developed by the Autopilot feature team. Diagnostics are critical to developing a successful Hybrid Azure AD join when troubleshooting the ODJ blob response and SCP lookup.

Windows 11 Autopilot OOBE ESP Updates!

Now it's time to check out the ESP on Windows 11 through an Autopilot deployment. In my environment I'm running on a Hyper-V VM, so the network is already there and first boot goes straight into updates as expected. Nice fresh UI for Windows 11.

Intune Trusted Site? Who Cares!

So the Trusted Sites zone is an important part of any enterprise environment. This policy controls the user experience when accessing certain websites, allowing pass-through authentication or SSO, and also allowing certain security controls, such as ActiveX and various resource mappings, to be bypassed for trusted sites. I'm not going to dig into that side of things, but will cover how to take your existing site-to-zone assignment and deploy it through Intune for Azure AD joined machines, or even Hybrid, to replace the GPO.

What About Autopilot Dynamic Device Groups

So one critical part of any successful Autopilot process is targeting: we need a way of pointing our Autopilot devices to the correct profiles. Now, I always try to keep these down to a single profile for traditional AAD (or even Hybrid if you have no choice), but you may want to dabble in auto-deploy scenarios, which will require another profile, and well, we can't just do a one-size-fits-all. So Dynamic Device AAD Groups and Group Tags are our focus in this blog article.